Third-party service providers can be a big help to your business by providing a deep level of expertise in areas outside of your core. But there is a risk when you reach outside your organization for help. As the economy continues its slow recovery, the topic of internal controls remains an important focal point for regulators, lenders and business owners. How aware are you of the services your company receives from third parties and the quality of that service?
Companies employ third-party service providers for a wide range of functions, from human resources to payroll processing, cash disbursement and even domestic and international shipping of goods. Whether your organization engages in outsourcing one or all of these operating functions, you are at risk of a breakdown in internal controls that, without the proper mitigation, could have a material impact on your operations.
Unfortunately, it can be all too easy to assume that controls affecting the processing of information, or other specific responsibilities such as delivery of goods, are solely the responsibility of your third-party service providers. Often, the subject of controls does not even arise until a problem occurs, such as a significant business interruption, a fraudulent activity or comments from your external auditor about a significant deficiency or material weakness noted during the audit.
So how can you ensure the proper controls are in place with your third-party service providers?
First, analyze the company’s control environment, both at the entity level and throughout its business processes. Pay particular attention to the flow of electronic data, retention of source documents and ongoing monitoring activities of those performing services outside the company. As part of this process, identify all scenarios and relevant risks, as well as their probability, to determine the impact to the company if such scenarios were to occur. Once specific risks are identified, consider controls you already have or plan to put into place to reduce the identified risk to an acceptable level.
One recent area of concern is the processing of electronic data through third-party logistic providers to facilitate their ordering process, inventory management and even contract management and repeat transactions. Strict monitoring, such as reviews of approved carrier listings, controls over authorizations, product tracking and timely reviews of inventory levels is important. Management also should require the third- party provider to provide summary data reports on a monthly or quarterly basis related to certain processing activity, inventory volume swings and other relevant information, and review those reports alongside internal operating data to ensure accuracy.
Finally, while identifying and assessing its internal controls, management should request a copy of the third-party provider’s AICPA Statement on Auditing Standards No. 70 (SAS 70) report. The SAS 70 report is a widely recognized standard and indicates that a service provider has had its control objectives and activities examined by an independent accounting and auditing firm. These reports include an independent assessment of whether proper controls are in place and suitably designed for the service provider’s operations. As businesses continually strive for optimal operating efficiency, you may find that outsourcing certain processes and responsibilities makes the most economic sense for your business. However, keep in mind that the more you outsource to service providers outside your company, the greater your exposure to certain risks that could have a significant impact on your operations if an interruption were to occur. As such, it is essential to ensure adequate controls are understood and in place for all of your third- party service providers.